Example: IDP Series HA Design for IDP8200 with 10-Gigabit Fiber Interfaces (NSRP)

Due to a hardware limitation, interface signaling and peer port modulation are not supported on IDP8200 10-Gigabit fiber interfaces. You can instead deploy these devices in a redundant-path design in which the firewalls use the NetScreen Redundancy Protocol (NSRP) to fail over around a failed IDP Series device. The following sections provide details:

Topology

Figure 11 shows a firewall deployment where there are redundant paths to the Internet. One path is active and the other is passive.

Figure 11: Redundant Path Design: IDP8200 in a Firewall Deployment

[Figure 11 image: g036670.gif]

If the IDP Series device on the active path fails, the NetScreen Track IP feature on the firewall can detect the loss of connectivity through it and trigger failover to the redundant path.

Note: This is the same topology as Example: IDP Series HA Design with Juniper Networks SSG Series Firewalls.

Deployment Steps

To deploy this solution, follow these basic steps:

  1. Set up and configure the SSG Series firewalls using the documentation that came with your firewall. Note the following requirements.

    Table 9: Firewall Configuration Guidelines

    Component: Firewall
    Guideline: Deploy the SSG Series devices in an active-passive HA cluster as you normally would, without regard to the IDP Series devices. To establish a preferred primary and secondary path, use NSRP priorities with preemption.

    Component: Failure detection mechanism
    Guideline: To detect its own failures, configure the firewall to monitor the status of its own interfaces. If the untrusted or trusted interface goes down, the firewall initiates hot-standby failover to its backup, forcing all sessions through the other path.

    To detect IDP Series failure, configure the firewall to use Track IP to monitor connectivity between itself and a list of Track IP hosts. Track IP sends ARP or ping probes to the target hosts. If the Track IP failure value exceeds the user-specified threshold, the firewall concludes that the path is unavailable and initiates failover to the redundant path. Place the Track IP targets on the far side of the IDP Series device, so that the probes must traverse it: when the IDP Series device is down, the ARP or ping probes fail, signaling to the firewall that the path is unavailable.

    When the configured Track IP failure threshold is reached, the firewall initiates failover. All sessions (old sessions initiated before the failover and new sessions initiated after it) are forced to the other path.

    I had thought there was another NSRP option, but after rereading the documentation, I think this is it. Please correct me here if I am missing another NSRP option that will work.
  2. Set up and configure the IDP Series devices. Note that interface signaling and peer port modulation must be disabled when deploying the IDP8200 with 10-Gigabit fiber interfaces.

    Table 10: IDP Series Configuration Guidelines

    Component: IDP Series device hardware
    Guideline: Use a crossover cable to connect the HA port of one device to the HA port of the other.

    Component: Cluster
    Guideline: Same as in the firewall topic. I will copy after incorporating review comments.

    Component: State sync
    Guideline: Same as in the firewall topic. I will copy after incorporating review comments.

    Component: Layer 2 bypass
    Guideline: Use ACM to enable Layer 2 bypass.

    Component: Interface signaling
    Guideline: Must be disabled.

    In the user_funcs file, comment out the ha_interface_signal setting or set it to 0, as in the following excerpt:

    #########################################################################
    #                             VARIABLES
    #########################################################################

    [...]

    # Enable or disable interface-based third-party HA signaling.
    # Setting this variable to 1 indicates that interface-based HA
    # signaling should be used: STP and similar traffic is blocked to
    # enable traffic switch-over by third-party HA devices. Set it to 0
    # (or comment it out) to disable interface signaling.

    export ha_interface_signal=0

    # 'max_intf_recv_failed_cnt_nicbypass' - The maximum count value for any
    # data interface indicating the number of times the packet could not
    # be received by that interface. If the count for any interface reaches
    # this value nicBypass gets triggered.
    #  **WARNING**: Changing the value would require running 'idp.sh restart'.

    export max_intf_recv_failed_cnt_nicbypass=18

    # Define SCIO
    SCIO=/usr/idp/device/bin/scio

    Component: Peer port modulation
    Guideline: In ACM, ensure that PPM is disabled.
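The firewall side of step 1, as an added example that is not part of the original page or of Juniper's documentation: a ScreenOS NSRP configuration for the preferred primary SSG, with interface monitoring for its own trusted and untrusted interfaces and Track IP aimed at a host on the far side of the IDP Series device. The cluster ID, the priority values, the interface names ethernet0/0 and ethernet0/2, the tracked address 192.0.2.1, and the interval, threshold and weight values are assumptions chosen for illustration; check the option syntax against the ScreenOS release you run.

```text
set nsrp cluster id 1
set nsrp vsd-group id 0 priority 50
set nsrp vsd-group id 0 preempt
set nsrp vsd-group id 0 preempt hold-down 10
set nsrp rto-mirror sync

set nsrp monitor interface ethernet0/0 weight 255
set nsrp monitor interface ethernet0/2 weight 255

set nsrp monitor track-ip ip
set nsrp monitor track-ip ip 192.0.2.1 interval 3 threshold 5 weight 255 method ping
set nsrp monitor track-ip threshold 255
set nsrp monitor threshold 255
```

The first group makes this SSG the preferred primary: in NSRP the lower priority value wins, and preempt lets it take the active role back after it recovers, with a hold-down so a flapping device does not bounce the cluster. The second group covers the firewall's own interface failures. The third group implements the IDP Series failure detection from Table 9: five consecutive failed probes at a 3-second interval mark 192.0.2.1 down, its weight of 255 reaches the track-ip threshold, and that in turn reaches the device monitor threshold, so the cluster fails over to the redundant path. The secondary SSG gets the same configuration with a higher (that is, worse) priority value such as 100. Two caveats: the tracked host must be reachable only through the IDP Series device, or a dead IDP path will go unnoticed, and the arp method only works for a target on a directly connected subnet, so use ping for anything beyond the next hop.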
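For step 2, an added check that is example code and not Juniper's: a POSIX shell function that reads a user_funcs file and reports whether interface signaling ends up disabled, that is, whether the last uncommented assignment of ha_interface_signal is absent or 0. Commented-out lines are ignored, and when the variable is assigned more than once the last assignment wins, which is how a sourced shell file behaves. The device path /usr/idp/device/bin/user_funcs and the sample file contents are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not Juniper's code: confirm that interface signaling is
# disabled in an IDP Series user_funcs file before putting an IDP8200 with
# 10-Gigabit fiber interfaces into an NSRP redundant-path deployment.

# Returns 0 when the last uncommented assignment of ha_interface_signal is
# absent or 0 (signaling disabled), 1 when it is any other value (enabled),
# and 2 when the file cannot be read. Lines starting with '#' are ignored,
# surrounding double quotes and a trailing comment on the value are dropped.
ha_interface_signal_disabled() {
    file="$1"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    val=$(grep -E '^[[:space:]]*(export[[:space:]]+)?ha_interface_signal=' "$file" \
          | tail -n 1 \
          | sed -E 's/^[^=]*=//; s/"//g; s/[[:space:]#].*$//')
    case "$val" in
        ''|0) return 0 ;;
        *)    return 1 ;;
    esac
}

# Print a one-line verdict for a file, labelled with a short description.
report() {
    if ha_interface_signal_disabled "$1"; then
        echo "$2: interface signaling disabled (OK for IDP8200 10G fiber)"
    else
        echo "$2: interface signaling ENABLED, unsupported on IDP8200 10G fiber"
    fi
}

# Demonstration on constructed sample user_funcs fragments (not real device files).
demo() {
    tmp=$(mktemp)
    # 1. Signaling enabled: must be fixed before deploying on 10G fiber.
    printf 'export ha_interface_signal=1\n' > "$tmp"
    report "$tmp" "set to 1"
    # 2. Setting commented out, as Table 10 permits.
    printf '#export ha_interface_signal=1\nexport max_intf_recv_failed_cnt_nicbypass=18\n' > "$tmp"
    report "$tmp" "commented out"
    # 3. Set to 0 after an earlier 1: the last assignment wins.
    printf 'export ha_interface_signal=1\nexport ha_interface_signal=0  # disabled for 10G fiber\n' > "$tmp"
    report "$tmp" "last value 0"
    rm -f "$tmp"
}

demo
# On a device (the path is an assumption):
#   ha_interface_signal_disabled /usr/idp/device/bin/user_funcs && echo "OK"
```

Run it on the device after editing user_funcs and before restarting with idp.sh; a non-zero exit from ha_interface_signal_disabled means the file still enables signaling somewhere below the line you edited.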
